Re: Cell Phone Gun
Thanks to Interesting People and Matthew Gaylor here is the ABC News report of December 6, 2000, on the cell phone gun: http://abcnews.go.com/sections/world/DailyNews/phone001205.html
Re: Cell Phone Gun
On Mon, 13 Aug 2001, John Young wrote:

> Thanks to Interesting People and Matthew Gaylor here is the
> ABC News report of December 6, 2000, on the cell phone gun:
>
> http://abcnews.go.com/sections/world/DailyNews/phone001205.html

What's the big deal? A polished, greased metal thorn, spool of carbon and/or kevlar tape, epoxy resin, electrically ignited pyrocharge (crushed minibulb with intact filament), trigger switch with a cover slip, maybe coded if you want to get real fancy, lithium cell, capacitor. There's not enough metal in the thing to trigger the metal detector, it can look as about anything (flashlight preferable).
Re: NSA's new mode of operation broken in less than 24 hours (fwd)
-- Forwarded message --
Date: 11 Aug 2001 00:43:19 GMT
From: David Wagner <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Newsgroups: isaac.lists.coderpunks
Subject: Re: NSA's new mode of operation broken in less than 24 hours

Since I saw some discussion of NSA's Dual Counter Mode here: The analysis Pompiliu Donescu, Virgil Gligor, and I did on their mode is now available online. See below for more information.

Pompiliu Donescu, Virgil D. Gligor, and David Wagner, ``A Note on NSA's Dual Counter Mode of Encryption,'' preliminary version, August 5, 2001.
http://www.cs.berkeley.edu/~daw/papers/dcm-prelim.ps

Abstract. We show that both variants of the Dual Counter Mode of encryption (DCM) submitted for consideration as an AES mode of operation to NIST by M. Boyle and C. Salter of the NSA are insecure with respect to both secrecy and integrity in the face of chosen-plaintext attacks. We argue that DCM cannot be easily changed to satisfy its stated performance goal and be secure. Hence repairing DCM does not appear worthwhile.
NSA withdraws proposed mode of operation (fwd)
-- Forwarded message --
Date: Fri, 10 Aug 2001 01:35:39 -0300
From: "Paulo S. L. M. Barreto" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: NSA withdraws proposed mode of operation

Many coderpunks probably already know the details; anyway, here's the story. Phillip Rogaway's description of the weaknesses found in NSA's Dual Counter Mode are at the bottom.

Enjoy,

Paulo.

-- Forwarded message --
Date: Thu, 09 Aug 2001 07:25:34 -0400
From: Robert Shea <[EMAIL PROTECTED]>
Subject: Dual Counter Mode (DCM)

On behalf of Brian Snow, Technical Director, Information Assurance, NSA, the following message is forwarded to the AES Team at NIST:

NSA believes that a license-free high-speed integrity-preserving mode of operation is needed for the Advanced Encryption Standard, and was pleased to submit the "Dual Counter Mode" (DCM) as a participant in the series of AES Modes Workshops sponsored by NIST.

Recently Virgil Gligor and Pompiliu Donescu of the University of Maryland, Phillip Rogaway of the UC Davis and Chiang Mai University, David Wagner of Berkeley, and possibly others, have produced results concerning the secrecy and integrity claims made for DCM. We commend them for their work.

We withdraw the Dual Counter Mode for consideration as a mode of operation for AES at this time, while we consider the observations and their ramifications.

We believe a license-free high-speed integrity-preserving mode of operation is still needed for AES, and will continue to work on this problem as well as encourage others to do so.

Brian D. Snow
Technical Director
Information Assurance Directorate
National Security Agency

--
Topic: Comments on "Dual Counter Mode" (manuscript date: 4 July 2001)
       (a modes-of-operation proposal by Mike Boyle and Chris Salter)
From:  Phillip Rogaway
       UC Davis and Chiang Mai University
Date:  Aug 4, 2001
--

1. DEFINITION OF DCM

The definition of DCM isn't real clear, but this is what I understand.

Let P = P_1 P_2 ... P_j be the plaintext to encrypt, where one assumes each |P_i|=n and j>0. Let Key = (K, x_0) be the DCM key, where K keys an n-bit block cipher E (I refuse to use "W" for the block length!) and x_0 is a n-bit string. For concreteness, say n = 128. Let N be an n-bit nonce. (The authors specify N = SEQ | SPI | padding, but I shall ignore this, it being, to me, an inappropriate mixing of an application of a mode and the definition of that mode.)

The authors map (N, x_0) into a sequence of offsets (they call them "fills") y_0 y_1 y_2 ... y_j y_{j+1} by

    y_0 = x_0 + N          // addition mod 2^n, for example

and, for i>0,

    y_i = multx(y_{i-1}),

where, say,

               / (a << 1)                     if msb(a)=0
    multx(a) = |
               \ (a << 1) xor 0^{120}1111     if msb(a)=1

That is, y_i = (x_0 + N) * x^i, where the multiplication is in GF(2^n).

Now define DCM_Key (N, P) as C = C_1 C_2 ... C_j C_{j+1} where

    C_i = E_K( P_i xor y_i) xor y_i           for i in [1..j]
    checksum = P_1 xor ... xor P_j xor N
    C_{j+1} = E_K(checksum xor y_{j+1}) xor y_0

2. COMPARISON WITH IAPM

DCM is identical to IAPM except (a) IAPM omits the nonce N from the checksum (why these authors include the nonce I do not know); and (b) IAPM suggested different (and smarter) ways to make the offsets.

3. THE CHANGES DON'T WORK

The changes to IAPM break it; one can see rather easily that DCM does not achieve the usual definitions for privacy or authenticity.

3.1 NO SEMANTIC SECURITY (the customary privacy definition)

For simplicity, assume lsb(x_0)=0. (This happens half the time so there is no problem making this assumption.)

First observe that nonces with related values map to offsets with related values. In particular, nonces N and (N xor 1) (in a context like this "1" means 0^{n-1}1) map to offsets the first few of which are:

    N        |--> y_0,       y_1,       y_2
    N xor 1  |--> y_0 xor 1, y_1 xor 2, y_2 xor 4

Let the adversary ask a query DCM_Key(0, 0), obtaining a ciphertext that starts with first block C_1; now note that first block of DCM_Key(1, 2) will be C_1 xor 2. This violates privacy. (For example, you can easily tell apart the sequence of messages 0, 0 and 0, 2 when they are DCM-encrypted using nonces 0 and then 1.)

[Reminder: my notation is ciphertext = DCM_Key(nonce, plaintext)]

3.2. NO AUTHENTICITY OF CIPHERTEXTS (the customary authenticity definition)

For convenience of description, assume that the first two bits and the last two bits of x_0 are 00 (which happens 1/16 of the time, anyway). Let the adversary ask queries:

    DCM_Key(0, 0) --> getting C_1 C_2.
    DCM_Key(1,
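
The related-nonce observation in section 3.1 of Rogaway's note, as an added example that is not part of the original message or of the DCM submission: it implements DCM as defined in section 1 and checks that the first block of DCM_Key(1, 2) equals C_1 xor 2 when lsb(x_0)=0. The cipher E (a SHA-256 Feistel stand-in for AES), the reduction constant 0x87, and the key and x_0 values are assumptions constructed for the demonstration.

```python
"""DCM as defined in Rogaway's note, plus the section 3.1 related-nonce check.

Assumptions (not from the original message): E is a stand-in 128-bit
permutation built from SHA-256 rather than AES, REDUCTION is the common
GF(2^128) constant 0x87, and the key / x_0 values are constructed samples.
"""
import hashlib

N_BITS = 128
MASK = (1 << N_BITS) - 1
HALF = N_BITS // 2
HALF_MASK = (1 << HALF) - 1
REDUCTION = 0x87  # assumed; the leak holds for any constant (multx is GF(2)-linear)


def E(key: bytes, block: int) -> int:
    """Stand-in block cipher: 4-round Feistel network keyed through SHA-256."""
    left, right = block >> HALF, block & HALF_MASK
    for rnd in range(4):
        digest = hashlib.sha256(key + bytes([rnd]) + right.to_bytes(8, "big")).digest()
        left, right = right, left ^ int.from_bytes(digest[:8], "big")
    return (left << HALF) | right


def multx(a: int) -> int:
    """Multiply by x in GF(2^n): shift left, reduce if the msb was set."""
    shifted = (a << 1) & MASK
    return shifted ^ REDUCTION if a >> (N_BITS - 1) else shifted


def offsets(x0: int, nonce: int, count: int) -> list:
    """y_0 = x_0 + N mod 2^n, then y_i = multx(y_{i-1}) for i = 1..count."""
    y = [(x0 + nonce) & MASK]
    for _ in range(count):
        y.append(multx(y[-1]))
    return y


def dcm_encrypt(key: bytes, x0: int, nonce: int, blocks: list) -> list:
    """Return C_1..C_{j+1} for plaintext blocks P_1..P_j (n-bit integers)."""
    j = len(blocks)
    y = offsets(x0, nonce, j + 1)
    cipher = [E(key, p ^ y[i]) ^ y[i] for i, p in enumerate(blocks, start=1)]
    checksum = nonce
    for p in blocks:
        checksum ^= p
    # The final block is masked with y_0, as in the definition above.
    cipher.append(E(key, checksum ^ y[j + 1]) ^ y[0])
    return cipher


def related_nonce_leak(oracle) -> bool:
    """Section 3.1 check: is the first block of DCM(1, 2) equal to C_1 xor 2?

    With lsb(x_0)=0, nonce 1 changes y_0 by xor 1 and therefore y_1 by xor 2.
    Plaintext 2 cancels that difference at the cipher input, so the cipher
    output repeats and only the outer mask differs, by exactly 2.
    """
    c1 = oracle(0, [0])[0]
    c1_related = oracle(1, [2])[0]
    return c1_related == c1 ^ 2


def make_oracle(key: bytes, x0: int):
    """Chosen-plaintext oracle for one fixed DCM key (K, x_0)."""
    return lambda nonce, blocks: dcm_encrypt(key, x0, nonce, blocks)


SAMPLE_KEY = b"constructed demo key"                  # constructed sample
X0_EVEN = 0x0123456789ABCDEF0123456789ABCDEE          # constructed, lsb = 0
X0_ODD = X0_EVEN | 1                                  # constructed, lsb = 1

if __name__ == "__main__":
    print("lsb(x_0)=0, relation holds:", related_nonce_leak(make_oracle(SAMPLE_KEY, X0_EVEN)))
    print("lsb(x_0)=1, relation holds:", related_nonce_leak(make_oracle(SAMPLE_KEY, X0_ODD)))
```

When lsb(x_0)=1 the addition x_0 + 1 carries, the offsets no longer differ by a single bit, and this particular pair of queries stops matching, which is why the note conditions on lsb(x_0)=0.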
RE: Traceable Infrastructure is as vulnerable as traceable messages.
> [EMAIL PROTECTED][SMTP:[EMAIL PROTECTED]] wrote:
>
> Microsoft, as a whole, is incompetent at security. All
> supposedly secure software coming out of Microsoft varies from
> poor to worthless. Does anyone doubt it? They take standard
> well known methods and make well known bungles in applying it and
> customizing it.
>
Microsoft's forte is making money. They do this by spending hugely on what people think they want (ease of use), and not wasting resources on things which do not impact market share.

If MS ever decided that they were losing money due to poor security, they would get good at it, fast. How many fewer copies of WinXP will they sell due to Code Red I, II, and III? Not many. A few (a very few) sysadmins may decide to go with Apache instead of IIS. It's not like many home or corporate users are going to switch to Linux purely due to security issues.

I hate to say this, but until software developers are held (at least at the corporate level) in some way liable for their failures, there will be little or no improvement in the situation.

> We do not get to see much of the spook output. What we have seen
> in recent years is not good.
>
I'm aware of exactly two datapoints - Skipjack (which wasn't good enough that anyone wanted to use it), and the recent 'dual counter mode' snafu. That's not enough to draw broad conclusions.

> During world war II the government sucked up all the best people
> from the open sector, and put them to work in the secret sector.
> For example most of the world's greatest scientists wound up hand
> making nuclear weapons. However, one would expect, with the
> passage of time, that people who work in secret would suffer from
> Parkinson's law, and this appears to be happening.
>
[...]
> Microsoft produces crap security because most of their customers
> do not know any better. Therefore NSA will produce crap security
> because their customers are forbidden to know any better.
>
MS makes crap because their customers buy it. If the customers (or their insurers) insisted on security, MS would do better. (BTW, MS's security rep is now so bad, that I know of security experts who would not work for them, due to the damage it would do to their reputations).

I occasionally see the argument that NSA can't retain people due to the much higher salaries, etc, in the public sector. While I have no doubt that this is partially true, there are plenty of very good people who find that the non-tangible benefits - patriotism, a sense that one's work is important, that one is a trusted member of the inner circle and privy to secret knowledge - are more than enough to make up for a civil service paycheck. No one should discount these factors just because they don't move them themselves.

> James A. Donald
>
Peter Trei
RE: Traceable Infrastructure is as vulnerable as traceable messages.
On Mon, 13 Aug 2001, Trei, Peter wrote:

> I hate to say this, but until software developers are held (at least
> at the corporate level) in some way liable for their failures, there
> will be little or no improvement in the situation.

I think this is the wrong approach to the situation. Making people liable stifles innovation.

The customers abundantly prove that they don't care. I know it, because I've talked to the customers. They might complain, but in a curiously perfunctory manner, their lips move, but their neurons don't spike.

In the market, everybody is free to use more stable components for the mission critical systems. If they make a difference (apparently, not on the short run, if at all, since businesses are either operating in a largely brownian market, or are running in an irrational regime, since capable to afford very broad error margins), the marketplace will select for fitter products. If they do not, well, too bad.

Where people's lives are at stake the product as a whole is certified, and the producer is already liable. There's no point in introducing a Hippocrates oath for the code samurai in the field. There will be fewer programmers, the average programmer will be better, but you're paying by arresting progress. See small civilian aircraft for an illustration. If you're afraid of change, the customer eventually suffers.

-- Eugen* Leitl http://www.lrz.de/~ui22204/
ICBMTO : N48 10'07'' E011 33'53'' http://www.lrz.de/~ui22204
57F9CFD3: ED90 0433 EB74 E4A9 537F CFF5 86E7 629B 57F9 CFD3
Re: Traceable Infrastructure is as vulnerable as traceable messages.
On Mon, Aug 13, 2001 at 10:30:14AM -0400, Trei, Peter wrote:

> I occasionally see the argument that NSA can't retain people due
> to the much higher salaries, etc, in the public sector. While I have
> no doubt that this is partially true, there are plenty of very good
> people who find that the non-tangible benefits - patriotism, a sense
> that one's work is important, that one is a trusted member of
> the inner circle and privy to secret knowledge - are more than
> enough to make up for a civil service paycheck. No one should
> discount these factors just because they don't move them
> themselves.

Right. I know people who are NSA employees, technical ones, with surprisingly enviable jobs. They put in four 10 hour days and can count it as a week. In fact, because in some areas (system administrators, hardware techs) NSA has more people than they need, the people I know often stay home one extra day a week.

So that's a three day work week, with a high-five figure salary, a security clearance that will instantly get you a better paid job in the consulting/contracting industry if you leave, and the security of government work. Not a job that'll let you change the world, perhaps, but not terribly dismal either.

-Declan
Products Liability and Innovation. Was: Re: Traceable Infrastructure is as vulnerable as traceable messages.
- Original Message -
From: "Eugene Leitl" <[EMAIL PROTECTED]>
To: "Trei, Peter" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; "Faustine" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, August 13, 2001 7:49 AM
Subject: RE: Traceable Infrastructure is as vulnerable as traceable messages.

> On Mon, 13 Aug 2001, Trei, Peter wrote:
>
> > I hate to say this, but until software developers are held (at least
> > at the corporate level) in some way liable for their failures, there
> > will be little or no improvement in the situation.
>
> I think this is the wrong approach to the situation. Making people liable
> stifles innovation.

I think 30+ years of active products liability jurisprudence might disagree with you. Just in the automotive world and off the top of my head: Automatic Braking Systems, designed failure points (crumple zones), 6mph bumpers, "safety glass," shoulder belts, passive belts, air bags and a host of other technologies or innovations that may or may not have been developed "but for" litigation are most probably the result of strict liability in products liability cases. The effect is to make safety profitable- or more accurately, to make unsafety unprofitable. See generally Posner, Hallman and the "Chicago School of Law and Economics," an entire movement in legal thought centered on the idea that you are very wrong about the effect of liability on innovation.

Now lest I be misinterpreted, misworded, misquoted and misunderstood by the various misanthropic types here:

Do I think that software should have products liability attached to it? No.
Do I think strict liability stifles innovation? No.
Re: Traceable Infrastructure is as vulnerable as traceable messages.
On Mon, Aug 13, 2001 at 10:30:14AM -0400, Trei, Peter wrote:

> If MS ever decided that they were losing money due to poor security,
> they would get good at it, fast. How many fewer copies of WinXP will
> they sell due to Code Red I, II, and III? Not many. A few (a very few)
> sysadmins may decide to go with Apache instead of IIS. It's not like
> many home or corporate users are going to switch to Linux purely
> due to security issues.

Especially with the press constantly telling them "Linux is hard".

Most people know that MS software is buggy and insecure. But they think that it is normal to have to reboot your computer daily and to get infected with worms through your email. After all, it's the same for all their friends and co-workers, how can they even know to expect anything else? Almost all the press tells them that MS is the only way to go and that anything else is weird and hard to run. The unreliability and security holes are just a burden to be borne... it's remarkable how much people can tolerate if it's done to them gradually.

> I'm aware of exactly two datapoints - Skipjack (which wasn't good enough
> that anyone wanted to use it), and the recent 'dual counter mode' snafu.
> That's not enough to draw broad conclusions.

SHA-2? Still not enough to draw conclusions.

Eric
RE: Products Liability and Innovation. Was: ...
> Black Unicorn[SMTP:[EMAIL PROTECTED]]
>
> From: "Eugene Leitl" <[EMAIL PROTECTED]>
>
> > On Mon, 13 Aug 2001, Trei, Peter wrote:
> >
> > > I hate to say this, but until software developers are held (at least
> > > at the corporate level) in some way liable for their failures, there
> > > will be little or no improvement in the situation.
> >
> > I think this is the wrong approach to the situation. Making people liable
> > stifles innovation.
>
> I think 30+ years of active products liability jurisprudence might disagree
> with you. Just in the automotive world and off the top of my head: Automatic
> Braking Systems, designed failure points (crumple zones), 6mph bumpers,
> "safety glass," shoulder belts, passive belts, air bags and a host of other
> technologies or innovations that may or may not have been developed "but for"
> litigation are most probably the result of strict liability in products
> liability cases. The effect is to make safety profitable- or more accurately,
> to make unsafety unprofitable. See generally Posner, Hallman and the "Chicago
> School of Law and Economics," an entire movement in legal thought centered on
> the idea that you are very wrong about the effect of liability on innovation.
>
> Now lest I be misinterpreted, misworded, misquoted and misunderstood by the
> various misanthropic types here:
>
> Do I think that software should have products liability attached to it? No.
> Do I think strict liability stifles innovation? No.
>
[I hate to post something that makes it look as if I'm doing further BU bashing (which is not my intention), but:...]

When all you have is a hammer, everything looks like a nail. There are other groups which can apply pressure than lawyers, courts and Men with Guns. Auditors and insurance companies come to mind. Schneier has noted how improvements in safe (as in a secure metal box) technology was driven not by losses, not by customers, nor by lawsuits, but rather by insurance requirements.

'You're running your ecommerce site on IIS? Ok, that's 10% extra on your premiums." (This is already starting to happen).

Peter Trei
Rand report: Facecams can thwart terrorism, install them now!
- Forwarded message from Declan McCullagh <[EMAIL PROTECTED]> -
From: Declan McCullagh <[EMAIL PROTECTED]>
Subject: FC: Rand report: Facecams can thwart terrorism, install them now!
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Date: Mon, 13 Aug 2001 11:48:22 -0400
X-URL: Politech is at http://www.politechbot.com/

[I've copied the author of the paper, a Rand analyst named John Woodward. He is an attorney who lives in Virginia and was most recently a CIA operations officer for 12 years, according to his bio, in addition to being the CIA Staff Assistant to the Undersecretary of Defense for Policy at the Pentagon. --Declan]

From: "Thomas C. Greene" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Rand urges face-scanning of the masses
Date: Mon, 13 Aug 2001 06:14:30 -0700

http://www.theregister.co.uk/content/6/20966.html

Think tank urges face-scanning of the masses

The famous Rand Organization http://www.rand.org, a putatively non-partisan think tank, has come out in favor of using face-scanning technology to violate the privacy of the innocent masses in search of -- you guessed it -- terrorists and pedophiles, the two most detested fringe-groups on the planet.

Following the regrettable inclinations of all modern governments, a recent Rand report http://www.rand.org/publications/IP/IP209/IP209.pdf reckons that the natural rights of the majority of ordinary, law-abiding citizens should be sacrificed for the sacred mission of identifying and prosecuting a mere handful of sexually perverted or homicidal lunatics.

"Biometric facial recognition can provide significant benefits to society," Rand says, and adds that "we should not let the fear of potential but inchoate threats to privacy, such as super surveillance, deter us from using facial recognition where it can produce positive benefits."

Chief among these are the detection of terrorists and pedophiles, as we said. No matter that these sick individuals comprise a mere fraction of a fraction of normal human beings. No matter that detecting them requires the most outrageous government intrusions into the natural comings and goings of millions of innocent people.

Rand's answer to serious questions of personal liberty is a few easily-skirted regulations which ought to allay all of our concerns. "By implementing reasonable safeguards [for government use of biometric face scanning], we can harness its power to maximize its benefits while minimizing the intrusion on individual privacy," the report chirps optimistically.

Rand returns repeatedly to the controversial, and prosecutorially worthless, use of biometric face scanning at the 2001 Super Bowl http://www.theregister.co.uk/content/archive/16561.html.

"While facial recognition did not lead to any arrests at the Super Bowl, there is evidence that using such a system can help deter crime. In Newham, England, the crime rate fell after police installed 300 surveillance cameras and incorporated facial recognition technology. While it is possible that the criminals only shifted their efforts to other locales, crime in Newham at least was deterred."

That's rich. So it's 'possible' that local criminals moved elsewhere, is it? Anyone with an ounce of common sense knows it's certain that they did, which implies that no one will ever be safe until every dark corner of the planet is blanketed by high-tech cameras performing a sort of criminal triage on all of us.

And after all, things could be worse. "The facial recognition system used at the Super Bowl was not physically invasive or intrusive for spectators. In fact, it was much less invasive than a metal detector at a public building or an inauguration parade checkpoint. In this sense, facial recognition helped to protect the privacy of individuals, who otherwise might have to endure more individualized police attention," Rand points out.

Of course, no appeal to Fascism and Kafkaesque control would be complete without reference to the safety of innocent children. Rand does not let us down: "many parents would most likely feel safer knowing their children's elementary school had a facial recognition system to ensure that convicted child molesters were not granted access to school grounds."

It's all very popular, but immensely dangerous, thinking. Preserving personal liberty requires that we all accept a bit of chaos, a bit of hooliganism, a bit of risk. Yes, you or I might possibly get our heads bashed in by brain-dead hooligans, or get blown up by terrorist bombers, and our little lambs might get exploited by sexual sickos if we don't keep a close eye on them. But probably not.

Surely, the suffocating, risk-free environments our governments are trying so desperately to sell us to extend their powers of observation and control are far more grotesque and soul-destroying than anything a terrorist or a pedophile might ever hope to produce.
Re: Traceable Infrastructure is as vulnerable as traceable messages.
On Mon, 13 Aug 2001, Eric Murray wrote:

> Especially with the press constantly telling them "Linux is hard".

If they listen to the press, they have only themselves to blame. Sheep frequently end as yummy lamb chops.

> Most people know that MS software is buggy and insecure. But they think
> that it is normal to have to reboot your computer daily and to get
> infected with worms through your email. After all, it's the same for
> all their friends and co-workers, how can they even know to expect
> anything else?

Does ignorance make you somehow immune against consequences? One can acquire new friends, or use the frigging search engine instead of the game/Bud afternoon, for starters.

> Almost all the press tells them that MS is the only way to go and that
> anything else is weird and hard to run. The unreliability and

Awww, my heart bleeds for the poor lambs.

> security holes are just a burden to be borne... it's remarkable how
> much people can tolerate if it's done to them gradually.

If they tolerate it, it isn't hurting bad enough. Why don't you let Darwin sort them out? If they think NT in naval hardware context or Outlook on the ISS is a smart thing to do, why don't you let them find it out the hard way?

Of course it limits your choices if you make a living in IT, but there are always niches. If it gets bad enough, you can always find a few sensible folks, or an entirely new field.

-- Eugen* Leitl http://www.lrz.de/~ui22204/
ICBMTO : N48 10'07'' E011 33'53'' http://www.lrz.de/~ui22204
57F9CFD3: ED90 0433 EB74 E4A9 537F CFF5 86E7 629B 57F9 CFD3
South Africa moves to increase Net-surveillance, limit crypto
- Forwarded message from Declan McCullagh <[EMAIL PROTECTED]> -
From: Declan McCullagh <[EMAIL PROTECTED]>
Subject: FC: South Africa moves to increase Net-surveillance, limit encryption
To: [EMAIL PROTECTED]
Date: Mon, 13 Aug 2001 11:31:48 -0400

A quick summary of South Africa's "Interception and Monitoring" bill, which has cleared the Cabinet and is heading for a vote in the Parliament:

* Internet providers and telephone companies must provide a pipe to a National Monitoring Center for Carnivoresque surveillance. "The Police Service, the Defence Force, the Agency, the Service and the Directorate must, at State expense, establish, equip, operate and maintain central monitoring centres... Duplicate signals of communications authorized to be monitored in terms of this Act, must be routed by the service provider concerned to the designated central monitoring centre concerned."

* Internet providers may not "provide any telecommunication service which does not have the capacity to be monitored." A provider is responsible for "decrypting any communication encrypted by a customer if the facility for encryption was provided by the service provider concerned." This represents an attack on liberty, privacy, and autonomy, and is akin to anti-encryption rules in Russia a few years ago. Though as a practical matter, a lot would seem to turn on the definition of "provide." Does that mean giving someone an SSL-enabled web browser? IPv6 software?

* The legislation bans the provision of anonymous Internet access. It says: "A service provider must... require from such person his or her full names, residential, business or postal address and identity number."

* Internet providers and telcos must pay for their own surveillance. "A service provider must at own cost and within the period, if any, specified by the Minister of Communications in a directive referred to in subsection (4)(a), acquire the necessary facilities and devices to enable the monitoring of communications in terms of this Act. The investment, technical, maintenance and operating costs in enabling a telecommunication service to be monitored, must be carried by the service provider providing such a service."

* Internet providers cannot reveal wiretaps. "No person who is or was concerned in the performance of any function in terms of this Act, may disclose any information which he or she obtained in the performance of such a function" (except to officials or courts).

The text of the legislation is here:
http://www.pmg.org.za/bills/Interception0107.htm

-Declan

***

http://news.bbc.co.uk/low/english/world/africa/newsid_1484000/1484698.stm

Protests over SA 'snooping' bill
2001-08-13 06:10:06
By Philippa Garson in Johannesburg

Protests are growing in South Africa against the country's plan to give the security services new powers to monitor terrorists and serious criminals.

Opponents say the Interception and Monitoring Bill is draconian, describing it as a charter for government snooping.

Given only three weeks to make submissions on the Bill, non-government organisations have been making last-ditch attempts to garner more time to respond before the 13 August deadline.

The bill was quietly passed by South Africa's Cabinet last month, largely catching the public unawares.

It provides for state monitoring of all telecommunications systems, including mobile phones, internet and e-mail, once permission has been granted by relevant authorities.

In most cases a judge must grant the order, but in some instances a police or army officer of a particular rank may do so.

[...]

-
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-

- End forwarded message -
Re: Products Liability and Innovation. Was: ...
On Monday, August 13, 2001, at 10:14 AM, Trei, Peter wrote:

> [I hate to post something that makes it look as if I'm doing further
> BU bashing (which is not my intention), but:...]
>
> When all you have is a hammer, everything looks like a nail. There are
> other groups which can apply pressure than lawyers, courts and Men
> with Guns. Auditors and insurance companies come to mind. Schneier
> has noted how improvements in safe (as in a secure metal box)
> technology was driven not by losses, not by customers, nor by lawsuits,
> but rather by insurance requirements.
>
> 'You're running your ecommerce site on IIS? Ok, that's 10% extra on your
> premiums." (This is already starting to happen).

I've been pointing this out for many years, and did so at very early Cypherpunks meetings. If you say Schneier "has noted" this, I'll take your word.

The proper (moral, public choice theory, economically sound) approach is for those who want more security against theft to _pay_ for it. This through either their own choices, such as the choices I myself made for the type of gun safe I have in my house, or through the advice and pricing from their insurance companies.

Holding a cheap safe maker "strictly liable" for losses when thieves use tin snips to cut through their safe is NOT the solution to the "strong safe" problem.

Unfortunately, as Declan also notes, the "men with guns" tend to go for "do this or we will shoot you" solutions. I count mandatory air bags and seat belt laws in this category.

Friedman's recent book "Law's Order" has many good economic analyses of tort situations, showing in nearly all cases that free market (mutually negotiated, noncoerced) produce more efficient results than non free market (imposed by government, coerced) solutions. Not surprising to libertarians, but useful to consider in the crypto context.

Bringing strict liability into the world of security and crypto would result in the usual market distortions. As an example, one might expect a "recommended security standard," decided upon by industry committees (with government, probably the NSA, involvement). Like airbags, this would then be mandated to be included in all Net connectivity and related products. Vendors would scramble to meet this requirement. And probably some form of escrow ("to help resolve disputes," "for the children") would be mandated-in. And of course it probably couldn't be "too strong."

Liability as currently interpreted can easily suppress innovation: Westinghouse froze the design of their boiling water nuclear reactors at roughly the 1960 level, except for minor changes in instrumentation and construction methods. The theory being that they had been given a kind of "safe harbor" on past designs (often done in conjunction with the Feds, as part of military reactor and AEC-led design projects) and that introducing innovations could alter the risk equation...even if it made the reactors better!

Similarly, innovations in automobile design are suppressed by liability concerns. A car maker who improves the layout of gas and brake pedals faces lawsuits over accidents "caused" by the changes. (cf. "sudden acceleration," aka "nitwit stepped on the wrong pedal.")

Peter Huber, in "Galileo's Revenge," notes many cases where strict liability law has suppressed innovation. My favorite was the Florida case where a woman claimed a CAT scan made her lose her psychic powers. A jury awarded her $2 million in liability damages. (This also mixes in pseudoscience issues, but the liability laws are still implicated.)

And speaking of CAT scans, or NMR, PET, etc. scans, many hospitals now routinely order such scans in nearly all cases of minor injury. My father went in for an exam and the doctor recommended an NMR scan of some sort. My father asked why. The doctor: "Don't worry, your insurance will cover most of it." My father: "I asked why I need this." Doctor: "We really recommend it."

To cut to the chase: Hospitals recommend such scans "just in case." To cover their asses in a possible liability suit should some problem happen later in time. Is this "due diligence"? Well, NMR scans are not cheap, so the cost gets passed on in the usual ways. Is the average benefit worth it to the average patient who gets the "we recommend it" advice? Debatable. Except there _IS_ no debate about it, certainly not between the average patient and the average doctor.

BTW, my father said "No" to the doctor. The doctor argued, then gave up. Apparently he felt my father was exposing _him_ to strict liability. (Needless to say, a patient's "waiver" is challengeable in the usual ways: "I didn't know what I was signing," "The doctor didn't explain to me that the scan might have detected the tumor I now have," and the other usual Mommy State whines.)

Anyway, I think imposing FDA-type oversight and medical industry-type liability laws on the security and crypto industry would be a disaster. Here
Re: Products Liability and Innovation. Was: Re: Traceable Infrastructure is as vulnerable as traceable messages.
On Mon, 13 Aug 2001, Black Unicorn wrote: >Do I think that software should have products liability attached to it? No. >Do I think strict liability stifles innovation? No. I would actually like to make a smaller point here. Broadly I agree with BU, but I'd like to analyze it a little. If software actually cost money per every unit produced, products liability would make more sense because then it could become "part of" the production costs. However, given that copying bits is in fact free (copyright issues aside), adding a real per-unit expense has the potential to *dominate* the production cost. Open-source software would become impossible to produce, because the whole open-source paradigm depends on copying bits being free. I think MS would like nothing better than having products liability attached to software in general; it would solve a massive problem for them by putting open-source stuff out of production. Even though the open-source stuff is better from a security standpoint, there is effectively no one who is making enough money from it to bear the costs of product liability. Some security consultants *do* bear the cost of product liability on software they install and configure; they are paid obscene amounts of money to take that risk and do the solid configurations that minimize it, and that is as should be. The effect of product liability on the industry as a whole would be to remove the only secure products available (open-source products), making it effectively impossible for security consultants to do their jobs. Bear
Re: Products Liability and Innovation. Was: ...
- Original Message - From: "Trei, Peter" <[EMAIL PROTECTED]> To: "Eugene Leitl" <[EMAIL PROTECTED]>; "'Black Unicorn'" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Monday, August 13, 2001 10:14 AM Subject: RE: Products Liability and Innovation. Was: ... > > Black Unicorn[SMTP:[EMAIL PROTECTED]] [On products liability, strict liability and innovation]: > > The effect is to make safety profitable- or more accurately, > > to make unsafety unprofitable. See generally Posner, Hallman and the > > "Chicago School of Law and Economics," an entire movement in legal > > thought centered on the idea that you are very wrong about the effect > > of liability on innovation. > > > > Now less I be misinterpreted, misworded, misquoted and misunderstood by > > the various misanthropic types here: > > > > Do I think that software should have products liability attached to it? > > No. Do I think strict liability stifles innovation? No. > > > [I hate to post something that makes it look as if I'm doing further > BU bashing (which is not my intention), but:...] Bash all you want as long as you do it in an educated way. > When all you have is a hammer, everything looks like a nail. With a hammer as big as litigation in the United States, everything might as well be a nail. I take no position on the good or ill of this particular state of affairs. > There are > other groups which can apply pressure than lawyers, courts and Men > with Guns. Auditors and insurance companies come to mind. Both of which are just extensions of the possibility of loss through products liability suits and other legal liability. The plaintiff's lawyer is key in the mix in all of these examples. Auditors are the passthrough to investors and other interested parties of information which might indicate the company's vulnerability to such a suit. 
Auditors drive their customers to adopt these practices because they have a fiduciary duty to draw attention to the potential harm and because they are the authority to define standard practices. Insurance companies heighten their standards to adjust coverage premiums based on the company's potential vulnerability to such a suit. They judge these vulnerabilities based on the babble and/or blessings of the auditors. Exercise for the student: Name three market forces which might cause the innovation of air bags as a safety feature which are not litigation related. (Hint: it's a hard problem- it's also a pointless one because air bags were finally brought to market- they had existed for years- specifically because of 3 law suits in the United States). Do a little leg work. Who first deployed airbags in their cars in the U.S.? When? That should tell you quite a lot about how they got there. > Schneier has noted how improvements in safe (as in a secure metal box) > technology was driven not by losses, not by customers, nor by lawsuits, > but rather by insurance requirements. Which are in turn driven by losses, lawsuits and again by extension of those: customer requirements. It all comes down to what the insurance company expects to have to pay in policies and what they expect to get in premiums. What they have to pay is based on loss expectations. Those loss expectations are heightened by threat of legal liability. Those payments are irritating to the customer. The customer does a basic analysis: When is my break even point for the investment I am going to make in improved metal boxes vs. the decrease in premiums I expect as a result? It's basic econ. Very basic. Are you really trying to assert that legal liability- perceived or actual- is not the driving force behind product development in these areas in the United States? You might want to read some Posner before you comment again. (See Also Generally: Bank Robberies and Bank Security Precautions, T.H.
Hannan, A Theory of Economic Loss in the Law of Torts, M.J. Rizzo, Accumulating Damages in Litigation: The Roles of Uncertainty and Interest Rates, J.M. Patell, R.L. Weil and M.A. Wolfson). > 'You're running your ecommerce site on IIS? Ok, that's 10% extra on your > premiums." (This is already starting to happen). It's been happening for years, except it comes under the careful auspice of a "SAS70 Audit" (Statement on Auditing Standards No. 70) and not a blatant MS bashing fest. SAS70 had information security provisions in it as early as 1995 or 1996. Why? Because the ABA and the AICPA- who despite much mutual animus often get together to discuss such things- thought it a good idea to introduce infosec as a section into the standard report format. (I was, _very tangentially_, involved in some of that. These were the days of Michael Baum, Verisign and the ABA, Stewart Baker, Export Control, AICPA and the Commissioners for Uniform State Law). And why not? For the ABA- it meant the possibility of servicing clients with respect to shareholder derivative suits and other liability for information security "negligence
More Liability Issues. Was: Re: Products Liability and Innovation.
- Original Message - From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, August 13, 2001 12:34 PM Subject: Re: Products Liability and Innovation. > On 13 Aug 2001, at 9:42, Black Unicorn wrote: > > > > > - Original Message - > > From: "Eugene Leitl" <[EMAIL PROTECTED]> > > To: "Trei, Peter" <[EMAIL PROTECTED]> > > Cc: <[EMAIL PROTECTED]>; "Faustine" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> > > Sent: Monday, August 13, 2001 7:49 AM > > Subject: RE: Traceable Infrastructure is as vulnerable as traceable messages. > > > > > On Mon, 13 Aug 2001, Trei, Peter wrote: > > > > > > > I hate to say this, but until software developers are held (at least > > > > at the corporate level) in some way liable for their failures, there > > > > will be little or no improvement in the situation. > > > > > > I think this is the wrong approach to the situation. Making people liable > > > stifles innovation. > > > > I think 30+ years of active products liability jurisprudence might disagree > > with you. Just in the automotive world and off the top of my head: Automatic > > Breaking Systems, designed failure points (crumple zones), 6mph bumpers, > > "safety glass," shoulder belts, passive belts, air bags and a host of other > > technologies or innovations that may or may not have been developed "but for" > > litigation are most probably the result of strict liability in products > > liability cases. > > Well, nobody can say with certainty exactly what would have > happened in contrary-to-fact situations, and litigation will > probably encourage some innovations while discouraging others, Points all taken. > but it seems to me that litigation is highly unlikely to encourage > innovation overall; it seems to me that you are much more likely to > lose a case if your product is hazardous in a way that > distinguishes itself from the industry standard, even if it's > safer overall, and in any case most potential innovations don't > have anything to do with increasing safety. 
Points also taken. > In a more or less unregulated market, consumers are > free to value product safety as they choose. Legislation which, > say, mandates air bags appears to assume that consumers tend > to undervalue their own safety, a proposition I object to > on philosophical grounds. Liability works more or less the same > way. Think of it this way. The proposition that the strict liability doctrine makes is that certain activities are "ultra hazardous." One of these is product design. Strict liability- essentially the proposition that no showing of negligence is required for the plaintiff to prevail- is generally thought of as a mechanism to allocate the risk onto the market actor. Economically speaking this is intended to spur the innovator to "self insure" or to design safety (safety from litigation anyhow) into the product, or at least have a strong regard for it during the development process. This in contrast to the negligence standard- where the innovator has to have been shown to be willfully negligent in design and therefore a good portion of the risk of the product development is shifted back to the end user. The theory is that if your goal is to reduce accidents and claims you allow the market to incorporate that sort of risk (which in early innovation looks a lot like an externality) into the innovation process. Activities, it is argued, which cannot be made sufficiently safe to be economically viable in the market will not be undertaken because the market will not support such activities. Proponents of products liability point to this in justifying the policy. (Critics primarily point to the unfairness of assigning liability to actors who have not acted negligently). The showing for a plaintiff for products liability works something like this, although admittedly this is very simplified: 1. Plaintiff used the product according to directions. 2. Plaintiff was injured. That's pretty much it. 
This is why safety is a big deal in automobile design and why gun manufacturers have managed to duck major products liability issues for the most part (misuse). Since automobile design flaws of sufficient magnitude can cause death and big money law suits, the market has incorporated that component of the risk into the design cost of the product either ex ante (during the design process) or ex post (by compensating the aggrieved parties). Costs are shifted onto the market when they are passed on (ex ante or ex post) in the form of product cost. This is the way that strict liability specifically, and the legal process in general, tends to spur on innovation. > >The effect is to make safety profitable- or more accurately, > > to make unsafety unprofitable. > > Right. Safety at all costs. The cost of safety is already too > high in most industries IMNSHO. Well, I would argue that it is self adjusted by the market when we are talking about products liability. The market has put a price on safety b
Re: Products Liability and Innovation. Was: ...
On Mon, Aug 13, 2001 at 01:14:10PM -0400, Trei, Peter wrote: > other groups which can apply pressure than lawyers, courts and Men > with Guns. Auditors and insurance companies come to mind. Schneier > has noted how improvements in safe (as in a secure metal box) > technology was driven not by losses, not by customers, nor by lawsuits, > but rather by insurance requirements. Minor note: I'd argue that insurance requirements, in a free market, are in the end driven by losses or prospective losses. -Declan
Re: Products Liability and Innovation.
On 13 Aug 2001, at 9:42, Black Unicorn wrote: > > - Original Message - > From: "Eugene Leitl" <[EMAIL PROTECTED]> > To: "Trei, Peter" <[EMAIL PROTECTED]> > Cc: <[EMAIL PROTECTED]>; "Faustine" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> > Sent: Monday, August 13, 2001 7:49 AM > Subject: RE: Traceable Infrastructure is as vulnerable as traceable messages. > > > > On Mon, 13 Aug 2001, Trei, Peter wrote: > > > > > I hate to say this, but until software developers are held (at least > > > at the corporate level) in some way liable for their failures, there > > > will be little or no improvement in the situation. > > > > I think this is the wrong approach to the situation. Making people liable > > stifles innovation. > > I think 30+ years of active products liability jurisprudence might disagree > with you. Just in the automotive world and off the top of my head: Automatic > Breaking Systems, designed failure points (crumple zones), 6mph bumpers, > "safety glass," shoulder belts, passive belts, air bags and a host of other > technologies or innovations that may or may not have been developed "but for" > litigation are most probably the result of strict liability in products > liability cases. Well, nobody can say with certainty exactly what would have happened in contrary-to-fact situations, and litigation will probably encourage some innovations while discouraging others, but it seems to me that litigation is highly unlikely to encourage innovation overall; it seems to me that you are much more likely to lose a case if your product is hazardous in a way that distinguishes itself from the industry standard, even if it's safer overall, and in any case most potential innovations don't have anything to do with increasing safety. In a more or less unregulated market, consumers are free to value product safety as they choose. 
Legislation which, say, mandates air bags appears to assume that consumers tend to undervalue their own safety, a proposition I object to on philosophical grounds. Liability works more or less the same way. >The effect is to make safety profitable- or more accurately, > to make unsafety unprofitable. Right. Safety at all costs. The cost of safety is already too high in most industries IMNSHO. > See generally Posner, Hallman and the "Chicago > School of Law and Economics," an entire movement in legal thought centered on > the idea that you are very wrong about the effect of liability on innovation. > An entire movement dedicated to the idea that Eugene is very wrong? Now I'm jealous, I can be as wrong as him, wronger even. > Now less I be misinterpreted, misworded, misquoted and misunderstood by the > various misanthropic types here: > > Do I think that software should have products liability attached to it? No. > Do I think strict liability stifles innovation? No. > > On behalf of my fellow misanthropes, thanks for the clarification. George
Re: More Liability Issues. Was: Re: Products Liability and Innovation.
On 13 Aug 2001, at 13:33, Black Unicorn wrote: > The theory is that if your goal is to reduce accidents and claims you allow > the market to incorporate that sort of risk (which in early innovation looks a > lot like an externality) into the innovation process. Activities, it is > argued, which cannot be made sufficiently safe to be economically viable in > the market will not be undertaken because the market will not support such > activities. Strikes me as being a circular argument, since which activities are "sufficiently safe to be economically viable" depends on the size of the awards. > Proponents of products liability point to this in justifying the > policy. (Critics primarily point to the unfairness of assigning liability to > actors who have not acted negligently). > Less misanthropic ones, maybe. We more misanthropic critics are more likely to complain about being prevented from engaging in activities which we know damn well contain an element of risk, a risk we are willing to assume because in our judgement the benefits outweigh the risks. > The showing for a plaintiff for products liability works something like this, > although admittedly this is very simplified: > > 1. Plaintiff used the product according to directions. > 2. Plaintiff was injured. > > That's pretty much it. This is why safety is a big deal in automobile design > and why gun manufacturers have managed to duck major products liability issues > for the most part (misuse). Since automobile design flaws of sufficient > magnitude can cause death and big money law suits, the market has incorporated > that component of the risk into the design cost of the product either ex ante > (during the design process) or ex post (by compensating the aggrieved > parties). Costs are shifted onto the market when they are passed on (ex ante > or ex post) in the form of product cost.
I had to read this about a dozen times before it made sense to me, here's why: there's an implicit assumption here that the "damages" awarded in liability lawsuits accurately reflect the actual damages suffered by the plaintiff. The impression I get is that awards tend to be orders of magnitude larger than they should be. > > This is the way that strict liability specifically, and the legal process in > general, tends to spur on innovation. > > > >The effect is to make safety profitable- or more accurately, > > > to make unsafety unprofitable. > > > > Right. Safety at all costs. The cost of safety is already too > > high in most industries IMNSHO. > > Well, I would argue that it is self adjusted by the market when we are talking > about products liability. The market has put a price on safety by forcing > producers either to design safe, and limit ex post costs incurred by > litigation in favor of ex ante costs, or minimize safety spending and catch > the costs ex post. Either way the costs are spread over the market and at > least mostly linked to the actual effect of safety provisions in reducing > harm/accidents/etc. If a mini-van is too costly to make "safe" then it will > not be produced. That's the point of strict liability. Force the actor to > spend more time evaluating the wisdom of the action. This often necessitates > more R&D and hence more innovation. (Faster airbags, better seat belts, etc.) > Saying "the cost of safety is already too high" is probably misplaced- at > least in this isolated example of automotive manufacture. > I really don't think so. I think we're at the point where around 10-50 million dollars are spent per life saved, and I don't think most people are worth anything near that.
I wouldn't even value my own life that highly; that is to say, I probably wouldn't take certain death for 50 million, because I'm not sure what I'd spend the money on if I were dead, booze and hookers would do me no good, but I'd probably take a 10% chance of death for 5 million. I suspect when you do the economical analysis, if you assume your damages awarded actually equal damages suffered, with strict liability you end up with the same products on the market and the same corporate profits as you would in a world where you assume no strict liability but assume that customers are able to correctly evaluate risks in their purchasing decisions, the main difference being that with strict liability the costs are smeared over all consumers and without it the costs are borne solely by the ones that suffer mishaps. George
Re: chip fabs gearing up for AES (fwd)
On 13 Aug 2001, Dr. Evil wrote: > Copyrights expire; property doesn't. Never bought milk I guess, or a pet, or been to the beach -- natsugusa ya...tsuwamonodomo ga...yume no ato summer grass...those mighty warriors'...dream-tracks Matsuo Basho The Armadillo Group ,::;::-. James Choate Austin, Tx /:'/ ``::>/|/ [EMAIL PROTECTED] www.ssz.com.', `/( e\ 512-451-7087 -~~mm-'`-```-mm --'-
Re: chip fabs gearing up for AES (fwd)
> > Copyrights expire; property doesn't. > > Never bought milk I guess, or a pet, or been to the beach Ah, good point. To be more clear: property rights don't expire, but the property itself might. Speaking of which I think I need to clean my fridge. But I still have title to that OJ, no matter how old it is!
Terrorist and Pedophiles
J.A. Terranson wrote: >> Regarding terrorists. Our government conveniently defines a "terrorist" >> as any sub-national group that breaks the law in order to influence >> opinion. >> Note under such a definition, no recognized government can commit a >> terrorist act, even if it firebombs nuns and orphans holding kittens. > Close, but not quite. It does not require the breaking of law, only > actions which are in some way "offensive". From Title 22 of the United States Code, Section 2656f(d) comes the favorite definition of the US State Department... "The term "terrorism" means premeditated, politically motivated violence perpetrated against noncombatant(1) targets by subnational groups or clandestine agents, usually intended to influence an audience." The footnote expands "noncombatant" to include any element of the military that is not actually engaged in formal hostilities against you at the time you attack it. So under the State Department's definition, unless official war is currently being waged around the target, all attacks on US Servicemen, and US military bases and assets, are "terrorist" attacks. Nothing Israel does to the Palestinians is "terrorist", but everything the Palestinians do in response is "terrorist," of course. According to the state department, "noncombatants" can actually be property, as opposed to people, so taking a few whacks at an oil pipeline with a baseball bat is "terrorism" too. Unless you're a government, of course. Premeditated violence by persons in no official position of authority is generally unlawful, as far as I know. Perhaps you could think up an exception, but I'm not aware of any. -- Eric Michael Cordian 0+ O:.T:.O:. Mathematical Munitions Division "Do What Thou Wilt Shall Be The Whole Of The Law"
Re: Cypherpunks, pay per use remailers, and the good ol' days
Declan wrote, quoting himself: > > Yet some form of PPU remailer could exist today: A remailer would find a > > cookie and an encrypted-to-PPU-public-key credit card in the body of the > > message it receives. It would then debit a credit card for, say, $3 and > [...] > > The usual objection to such a system would be that the feds would impose > > pressure on the banking system (or credit card companies would do it > > themselves) and prevent remailer ops from securing merchant accounts. That > > may be true, but remailers at least today aren't seen as a serious threat. > > They could get away with it for a while. > > Thinking through this a little bit more, such a system wouldn't work > well given today's technology. It would allow an attacker to know > with a high degree of certainty the truename (cardname) of someone > and link that with an encrypted message. By unwrapping it down the > chain with subpoenas and court orders, it would be possible to > get at least the last To: line if not the final text. An alternative is to pay the first remailer for the whole chain, and then to have that remailer pay the second remailer, the second remailer pay the third remailer, and so on. This way the follow-on remailers don't know who the original sender of the message was. The remailers can also batch up their payments when they are sending a bunch of messages to other remailers, perhaps even just pay the net clearing amount on a daily basis. Some discussion of this idea as a mechanism for anonymous payments is in the archives at http://www.inet-one.com/cypherpunks/dir.2000.02.28-2000.03.05/msg00302.html and follow-ups.
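The chained prepayment and daily net clearing described in the message above, as an added sketch that is not part of the original post; the flat per-hop fee, the remailer names A/B/C and the sample traffic are constructed assumptions.

```python
from collections import defaultdict

FEE_CENTS = 100  # assumed flat price per hop (constructed value)


def route_payment(sender, chain, ledger, fee=FEE_CENTS):
    """Sender prepays chain[0] for the whole chain; each hop keeps one fee
    and pays the remainder to the next hop.

    Appends (payer, payee, amount) obligations to `ledger` and returns
    [(hop, payer_seen_by_that_hop)], i.e. what each remailer can learn
    about who paid it. Only the entry hop ever sees the customer.
    """
    view = []
    payer, amount = sender, fee * len(chain)
    for hop in chain:
        ledger.append((payer, hop, amount))
        view.append((hop, payer))
        payer, amount = hop, amount - fee
    return view


def net_clearing(ledger, remailers):
    """Collapse one day's remailer-to-remailer obligations into at most one
    net transfer per pair. Customer payments are not cleared here."""
    gross = defaultdict(int)
    for payer, payee, amount in ledger:
        if payer in remailers and payee in remailers:
            gross[(payer, payee)] += amount
    net = {}
    for (a, b) in list(gross):
        if (a, b) in net or (b, a) in net:
            continue  # pair already settled from the other direction
        balance = gross[(a, b)] - gross.get((b, a), 0)
        if balance > 0:
            net[(a, b)] = balance
        elif balance < 0:
            net[(b, a)] = -balance
    return net


def income_gross(ledger, who):
    """Income if every obligation were paid individually."""
    return (sum(amt for _, payee, amt in ledger if payee == who)
            - sum(amt for payer, _, amt in ledger if payer == who))


def income_after_clearing(ledger, net, who, remailers):
    """Customer receipts plus or minus the single net transfers."""
    from_customers = sum(amt for payer, payee, amt in ledger
                         if payee == who and payer not in remailers)
    received = sum(amt for (_, payee), amt in net.items() if payee == who)
    paid = sum(amt for (payer, _), amt in net.items() if payer == who)
    return from_customers + received - paid


def demo():
    remailers = {"A", "B", "C"}
    ledger = []
    # Constructed traffic: three customers, three different chains.
    views = {
        "alice": route_payment("alice", ["A", "B", "C"], ledger),
        "bob": route_payment("bob", ["C", "B", "A"], ledger),
        "carol": route_payment("carol", ["B", "A"], ledger),
    }
    return remailers, ledger, views, net_clearing(ledger, remailers)


if __name__ == "__main__":
    remailers, ledger, views, net = demo()
    for customer, view in views.items():
        print(customer, "->", view)
    print("gross inter-remailer obligations:",
          sum(1 for p, q, _ in ledger if p in remailers and q in remailers))
    print("net transfers after clearing:", net)
    for r in sorted(remailers):
        print(r, income_gross(ledger, r),
              income_after_clearing(ledger, net, r, remailers))
```

With this traffic, five inter-remailer payments collapse into one net transfer, and each remailer's income is unchanged by clearing.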
Re: Cypherpunks, pay per use remailers, and the good ol' , days
On 14 Aug 2001, lcs Mixmaster Remailer wrote: > An alternative is to pay the first remailer for the whole chain, and then > to have that remailer pay the second remailer, the second remailer pay > the third remailer, and so on. This way the follow-on remailers don't > know who the original sender of the message was. The remailers can also > batch up their payments when they are sending a bunch of messages to other > remailers, perhaps even just pay the net clearing amount on a daily basis. > > Some discussion of this idea as a mechanism for anonymous payments is > in the archives at > http://www.inet-one.com/cypherpunks/dir.2000.02.28-2000.03.05/msg00302.html > and follow-ups. What a circle jerk process...this sort of approach will completely swamp the operator in contractual obligations through proxies (these supposed blinding mix operators) only a lawyer could love it. -- natsugusa ya...tsuwamonodomo ga...yume no ato summer grass...those mighty warriors'...dream-tracks Matsuo Basho The Armadillo Group ,::;::-. James Choate Austin, Tx /:'/ ``::>/|/ [EMAIL PROTECTED] www.ssz.com.', `/( e\ 512-451-7087 -~~mm-'`-```-mm --'-
OPT: Slashdot | Felten Will Present SDMI Research At USENIX
http://slashdot.org/yro/01/08/13/1947257.shtml -- -- natsugusa ya...tsuwamonodomo ga...yume no ato summer grass...those mighty warriors'...dream-tracks Matsuo Basho The Armadillo Group ,::;::-. James Choate Austin, Tx /:'/ ``::>/|/ [EMAIL PROTECTED] www.ssz.com.', `/( e\ 512-451-7087 -~~mm-'`-```-mm --'-
Re: Affects of the balkanization of mail blacklisting (fwd)
Date: Mon, 13 Aug 2001 23:09:40 -0500 (CDT) From: [EMAIL PROTECTED] To: Randy Bush <[EMAIL PROTECTED]> Cc: Mitch Halmu <[EMAIL PROTECTED]>, [EMAIL PROTECTED] Subject: Re: Affects of the balkanization of mail blacklisting On Mon, 13 Aug 2001, Randy Bush wrote: > >> you could be right. i guess it's time i sent them another donation. > > Save it: the people MAPS has harmed need it more. > > support low-life, slimeball, spammers? ROFL! No, I'm not talking about the spammers who were caught in maps, I'm referring to the INNOCENTS who were caught in MAPS. If the LEO community acted like MAPS does, there would have been armed revolution in the streets *years ago*. MAPS never gave a shit about facts, they cared only about their agenda - no matter who got hurt in the way. Fuckem. Vixie is a netnazi who would do us all a favor if he just blew what little brains he has left out of his left ear. -- Yours, J.A. Terranson [EMAIL PROTECTED] If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occasionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demagoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics. The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place...
Re: Affects of the balkanization of mail blacklisting
On Tue, 14 Aug 2001, Jared Mauch wrote: > > No, I'm not talking about the spammers who were caught in maps, I'm > > referring to the INNOCENTS who were caught in MAPS. If the LEO community > > acted like MAPS does, there would have been armed revolution in the > > streets *years ago*. > > > > MAPS never gave a shit about facts, they cared only about their agenda - > > no matter who got hurt in the way. > > > > Fuckem. Vixie is a netnazi who would do us all a favor if he just blew > > what little brains he has left out of his left ear. > > I think you are confused and talking about ORBS. The MAPS people > have not acted with any agenda that I've ever seen. I assure you I am not confused. ORBS was intolerably worse, but MAPS is still not something I am looking forward to seeing survive. > I'm not saying that I agree with all the things that MAPS > or Vixie has done during their lifetimes but I think they provide > a valuable service. Then of course, you are free to subscribe. > With the orbs, maps changes recently I've seen > the volume of spam increase by several orders of magnitude. Agreed. > I wish there was a clean way to filter it out. There are plenty, but most of us are too goddamn lazy to do it ourselves, and ask for an ORBS or MAPS like service to do it for us. We have NEVER had a spam problem (we've been here since 1994) going out - not a single incident (not that we probably won't have one *someday*, but still, it's a hell of a good track record). The SPAM problem goes up and down to be sure, but you know what? PROCMAIL is your friend. All you need to look for are the basics (ADV, Make Money, etc) and you can instantly filter 90 percent of this trash into the bitbucket. At work (not mfn.org), I get several orders of magnitude more mail (usually obnoxious at that) from the "gentle anti-spammers" than the poor "victims" get themselves! Let's get my position straight: I think spam is annoying as hell, and should not be done.
I don't think that SPAM is going to cause any major social upheavals. I also disagree that all people want to be spared from SPAM, and with that in mind, I believe everyone should defend themselves to the best of their interest, and leave the next guy alone: he or she probably has *way* more important things to worry about. > - Jared -- Yours, J.A. Terranson [EMAIL PROTECTED] If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occasionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demagoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics. The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place...
Re: Russian Programmer Not Eager to be Celebrity
On 13 Aug 2001, John R. Levine wrote: > I can't say I'm surprised. When he's not writing copy protection and > password cracking code, he's also one of the world's leading authors > of spamware, both programs to scrape e-mail addresses from web pages > (http://www.mailutilities.com/aee/) and to spam direct from dialups, > avoiding rate limits in the ISP's mail server > (http://www.mailutilities.com/adr/). > > While I agree that the DMCA is an asinine law, and it's doubly asinine > to try to enforce it against non-resident foreigners, Sklyarov is > hardly the virtuous innocent that some press accounts suggest he is. I cannot express how fed up I am with this type of tunnel-vision HYPOCRISY. The same folks who are screaming that writing public crypto code must be covered by the 1st because "it is good" are screaming that Sklyarov is now "bad" because he writes spamware. One idiot went so far as to call for Sklyarov's *execution* because he may have written the program that was once used to send UCE/UBE to the miscreant whiner! This is the same belligerently asinine argument that the anti-gunners use: a gun is designed to kill, so we must do away with the right to own them. Yes, I am aware that this politically incorrect (but logically accurate) statement is likely to get me flamed from here to hell and back (I can just see the "SPAM SUPPORTER!" pseudo-flames now...). -- Yours, J.A. Terranson [EMAIL PROTECTED]
Re: Affects of the balkanization of mail blacklisting (fwd)
The whole purpose of MAPS is the Balkanization of the internet. Balkanization of the Internet is a good thing. There should be parts of the Internet that are spam-free (that's where I want to be) and other parts where peoples' mailboxes are constantly full of get-rich-quick-find-out-anything-about-snow-white-and-the-seven-dwarves-penis-enlargement-offers. People who want that kind of mail should get it, and those who don't shouldn't.
Scott McNealy Toon
http://www.ibiblio.org/Dave/Dr-Fun/df200108/df20010808.jpg
Re: Russian Programmer Not Eager to be Celebrity
On Mon, Aug 13, 2001 at 09:06:48PM -0500, [EMAIL PROTECTED] wrote: > I cannot express how fed up I am with this type of tunnel-vision > HYPOCRISY. > > The same folks who are screaming that writing public crypto code must be > covered by the 1st because "it is good" are screaming that Sklyarov is now > "bad" because he writes spamware. One idiot went so far as to call for > Sklyarov's *execution* because he may have written the program that was > once used to send UCE/UBE to the miscreant whiner! There are two obvious ways to defend Sklyarov: * This person is a great guy, wife, two kids, smart, grad student, academic, researcher, programmer, cryptologist, etc. He didn't do anything except piss off Adobe, and the DMCA is unconstitutional anyway, so let him go free. * Okay, Sklyarov may be a spamware writer and we may worry about his poor sense of ethics and in fact he's not someone we'd want to spend any time with in person, but he should go free since the DMCA is unconstitutional and spamware, though we hate it, is 1A-protected. I think the antispammers are taking position #2. Nobody I have read says he should be locked up because of writing spamware. -Declan